
CVE-2024-23805: CWE-131 Incorrect Calculation of Buffer Size in F5 BIG-IP

Severity: High
Tags: Vulnerability, CVE-2024-23805, CWE-131
Published: Wed Feb 14 2024 (02/14/2024, 16:30:25 UTC)
Source: CVE
Vendor/Project: F5
Product: BIG-IP

Description

Undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. For the Application Visibility and Reporting module, this may occur when the HTTP Analytics profile with URLs enabled under Collected Entities is configured on a virtual server and the DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled. For BIG-IP Advanced WAF and ASM, this may occur when either a DoS or Bot Defense profile is configured on a virtual server and the DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled. Note: The DB variables avr.IncludeServerInURI and avr.CollectOnlyHostnameFromURI are not enabled by default. For more information about the HTTP Analytics profile and the Collect URLs setting, refer to K30875743: Create a new Analytics profile and attach it to your virtual servers (https://my.f5.com/manage/s/article/K30875743). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AI-Powered Analysis

Last updated: 07/04/2025, 21:58:27 UTC

Technical Analysis

CVE-2024-23805 is a high-severity vulnerability affecting F5 BIG-IP versions 15.1.0, 16.1.0, and 17.1.0. It is classified under CWE-131 (Incorrect Calculation of Buffer Size). The flaw lies in the Traffic Management Microkernel (TMM) component of BIG-IP and is reachable only under specific configurations. For the Application Visibility and Reporting module, the issue manifests when an HTTP Analytics profile with URLs enabled under Collected Entities is applied to a virtual server and either of the DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI is enabled. For the BIG-IP Advanced WAF and ASM modules, it can be triggered when a DoS or Bot Defense profile is configured on a virtual server with the same DB variables enabled. Neither variable is enabled by default, which limits exposure. Exploitation causes the TMM process to terminate unexpectedly, resulting in a denial of service (DoS) condition. Confidentiality and integrity are not affected; availability is severely affected. The CVSS 3.1 base score is 7.5 (high): network attack vector, low attack complexity, no privileges required, no user interaction, and an impact limited to availability. No exploits in the wild are currently reported; the vulnerability is evaluated against supported versions only, and versions that have reached End of Technical Support were not evaluated. The root cause is an incorrect buffer size calculation that leads to a crash when TMM processes specific, undisclosed requests under the described configuration. The vulnerability underscores the importance of careful configuration management and patching for critical network infrastructure such as F5 BIG-IP, which is widely used for load balancing, application delivery, and security enforcement.

Potential Impact

For European organizations, the impact of CVE-2024-23805 can be significant because F5 BIG-IP devices are widely deployed in enterprise and service provider networks. The vulnerability causes a denial of service by crashing the TMM process, which handles traffic management and security functions. The result is service outages, degraded application availability, and potential disruption of critical business operations, especially for organizations that rely on BIG-IP for load balancing, web application firewall (WAF), and bot defense. Industries such as finance, telecommunications, healthcare, and government agencies in Europe that depend on high availability and secure application delivery are particularly at risk. Because exploitation requires no authentication or user interaction, an attacker can remotely trigger the crash by sending crafted requests to vulnerable virtual servers carrying the specified configuration. Although the vulnerability does not allow data theft or modification, the resulting downtime can lead to financial losses, reputational damage, and regulatory compliance issues under GDPR and other European data protection laws if services are disrupted. In addition, the configuration settings involved are obscure enough that some organizations may have enabled the vulnerable options without realizing it, increasing exposure. The absence of known exploits in the wild provides a window for proactive mitigation; organizations should use it to audit configurations now and apply patches as soon as they are available.

Mitigation Recommendations

1. Immediate configuration audit: European organizations should review their F5 BIG-IP configurations to identify any virtual servers using the HTTP Analytics profile with URLs enabled and check if the DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled. Since these variables are not enabled by default, disabling them if not strictly necessary can mitigate exposure.
2. Patch management: Monitor F5's official advisories and apply vendor-provided patches or hotfixes as soon as they become available for the affected BIG-IP versions (15.1.0, 16.1.0, 17.1.0).
3. Network segmentation and filtering: Restrict access to management and virtual server interfaces to trusted networks and IP addresses to reduce the attack surface.
4. Deploy redundancy and failover: Ensure high availability configurations are in place so that if one BIG-IP device experiences a crash, traffic can be rerouted to backup devices, minimizing downtime.
5. Monitoring and alerting: Implement enhanced logging and monitoring for TMM process crashes or unusual traffic patterns that could indicate exploitation attempts.
6. Disable unnecessary profiles: If DoS, Bot Defense, or HTTP Analytics profiles are not required, consider disabling them to reduce the attack surface.
7. Incident response readiness: Prepare playbooks for rapid response to potential denial of service incidents caused by this vulnerability.

These steps go beyond generic advice by focusing on the specific configuration variables and profiles implicated in the vulnerability and emphasizing proactive configuration management alongside patching.
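The configuration audit in step 1 can be scripted against saved `tmsh list` output. The following Python is an added example, not code from F5 or from this page; it assumes that the DB variable value reads "enable"/"disable", that the analytics profile's Collect URLs setting appears as `collect-url`, and that DoS and Bot Defense profiles are listed under `security dos profile` and `security bot-defense profile` (all three are assumptions about tmsh output, and the sample output is constructed).

```python
# Added example: audit tmsh output for the configuration CVE-2024-23805 depends on. Assumed,
# not from the advisory: DB values read "enable"/"disable"; analytics option is "collect-url".
ENABLED = {"enable", "enabled", "true", "1"}
RISKY_DB = ("avr.includeserverinuri", "avr.collectonlyhostnamefromuri")
KINDS = {("security", "dos", "profile"): "DoS profile",  # assumed tmsh object paths
         ("security", "bot-defense", "profile"): "Bot Defense profile"}
# Constructed sample `tmsh list` output (sys db, profiles, virtuals), not from a real device.
DB = 'sys db avr.includeserverinuri {\n    value "enable"\n}\n'
PROFILES = ("ltm profile analytics web_analytics {\n    collect-url enabled\n}\n"
            "security dos profile api_dos {\n    description constructed\n}\n")
VIRTUALS = ("ltm virtual vs_web {\n    profiles {\n        /Common/web_analytics { }\n        http { }\n    }\n}\n"
            "ltm virtual vs_api {\n    profiles {\n        api_dos { }\n    }\n}\n"
            "ltm virtual vs_plain {\n    profiles {\n        http { }\n    }\n}\n")

def parse_tmsh(text):
    """Yield (header words, stripped body lines) for each top-level tmsh object."""
    header, body = None, []
    for line in text.splitlines():
        if header is None:
            if line.endswith("{") and not line[:1].isspace():
                header, body = line[:-1].split(), []
        elif line == "}":
            yield header, body
            header = None
        elif line.strip():
            body.append(line.strip())

def setting(body, key):
    """Value of a `key <value>` line inside an object body, unquoted and lower-cased."""
    return next((l.split()[-1].strip('"').lower() for l in body if l.split()[0] == key), "")
def enabled_db_vars(db_text):
    """The advisory's two DB variables that are currently set to an enabled value."""
    return {h[2].lower() for h, b in parse_tmsh(db_text)
            if h[:2] == ["sys", "db"] and h[2].lower() in RISKY_DB and setting(b, "value") in ENABLED}

def risky_profiles(profile_text):
    """Map profile name -> why attaching it to a virtual server matters here."""
    risky = {}
    for h, b in parse_tmsh(profile_text):
        if h[:3] == ["ltm", "profile", "analytics"] and setting(b, "collect-url") in ENABLED:
            risky[h[3]] = "HTTP Analytics profile collecting URLs"
        elif tuple(h[:3]) in KINDS:
            risky[h[3]] = KINDS[tuple(h[:3])]
    return risky

def audit(db_text, profile_text, virtual_text):
    """Return (virtual server, profile, reason) for each virtual server exposed per the advisory."""
    if not enabled_db_vars(db_text):
        return []  # no exposure unless at least one of the DB variables is enabled
    risky = risky_profiles(profile_text)
    return [(h[2], name, risky[name]) for h, b in parse_tmsh(virtual_text)
            if h[:2] == ["ltm", "virtual"]
            for name in (l.split()[0].rsplit("/", 1)[-1] for l in b) if name in risky]
```

An empty result from `audit` means the device does not meet the advisory's preconditions, which is the state to aim for until the patch is applied; the DB variables and profile names to feed in are exactly those named in step 1.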


Technical Details

Data Version: 5.1
Assigner Short Name: f5
Date Reserved: 2024-02-01T22:13:58.511Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6dcf

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/4/2025, 9:58:27 PM

Last updated: 8/11/2025, 5:37:31 AM

